secrets
Stores arbitrary per-tenant secrets (API keys, tokens, credentials) encrypted at rest using AES-256 with a KEK loaded from KUMIKO_SECRETS_MASTER_KEY_V1 (and successive versions for rotation). Read a secret in handlers via ctx.secrets.get(tenantId, handle), which automatically appends a tenantSecretRead audit event so every access is traceable. A rotate job re-encrypts all envelopes after a KEK version bump.
Dependencies
Section titled “Dependencies”- Requires: none
- Activation: always on (not toggleable)